Re: Linux server as it own firewall

From: Seth Arnold (sarnold@wirex.com)
Date: 09/13/01


Date: Thu, 13 Sep 2001 09:21:38 -0700
From: Seth Arnold <sarnold@wirex.com>
To: focus-linux@securityfocus.com
Subject: Re: Linux server as it own firewall
Message-ID: <20010913092138.A30987@wirex.com>

On Wed, Sep 12, 2001 at 01:25:21PM -0400, James Puckett wrote:
> I am considering having the firewall for a Linux server I am building
> running on the server itself using IPTables.

Every time someone mentions firewalls, I always think of a quote I heard
once: "Firewalls are a symptom of broken hosts". (Anyone who knows the
original source of this quote, please let me know privately. :)

Given the rise in services offered over http (SOAP et al :) firewalls
are beginning to be of even more dubious value. (And are partly the
cause of this problem .. by making everything except web traffic
difficult, product designers simply use web traffic. Now, "web traffic"
is much harder to separate from other stuff, such as SOAP.)

In the end, I say, go ahead and run some firewall software on the host
offering the services. The value of this firewall will mostly come in
the form of disallowing connections from strange addresses, and
disallowing outgoing connections coming from strange addresses. (egress
filtering is very kind for the rest of the internet. :)

But don't expect the firewall software on the host to be some sort of
magic security bullet. Your web server (whatever :) is still going to be
listening to port 80, it is still going to answer for nearly everyone
that tries connecting, and if someone finds a buffer overflow in the web
server, it can still be compromised.
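
The host-level filtering described in this message, as an added example that is not part of the original post: a shell function that prints an iptables-restore ruleset dropping inbound packets from source addresses that cannot be legitimate, allowing only the host's own address as a source on the way out, and leaving port 80 open to everyone else. The function name `gen_rules`, the interface `eth0`, the documentation address `192.0.2.10` and the assumption that the host has a public address (so private ranges count as "strange") are illustrative and do not come from the post.

```shell
#!/bin/sh
# Added example. Assumed values (not from the post): eth0, 192.0.2.10, HTTP on tcp/80.

# gen_rules IP IFACE: print an iptables-restore ruleset for one public web host.
gen_rules() {
    ip="$1"     # the server's own public address
    ifc="$2"    # the external interface
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback traffic stays on lo.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Ingress: sources that can never legitimately arrive on $ifc.
-A INPUT -i $ifc -s $ip -j DROP
-A INPUT -i $ifc -s 127.0.0.0/8 -j DROP
-A INPUT -i $ifc -s 10.0.0.0/8 -j DROP
-A INPUT -i $ifc -s 172.16.0.0/12 -j DROP
-A INPUT -i $ifc -s 192.168.0.0/16 -j DROP
# Replies to connections this host opened itself.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The offered service: still answers nearly everyone who connects.
-A INPUT -i $ifc -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Egress: only packets sourced from our own address may leave.
-A OUTPUT -o $ifc ! -s $ip -j DROP
-A OUTPUT -o $ifc -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the constructed sample values.
gen_rules 192.0.2.10 eth0
```

After review, the output can be piped to `iptables-restore` as root. Nothing in it inspects what arrives on port 80, so the web server itself still has to be kept patched.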
 


